Downclimb: Summit Route’s Weekly Infosec News Recap
2016.03.20 – 2016.03.27: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com
Quotes
“It’s better to have a media strategy than a security strategy.” Greg Ferro on Home Depot’s paltry $19.5M settlement for their 2014 breach involving 40M credit cards.
“The hard bit of crypto isn’t #crypto design. It’s fighting the awful OpenSSL APIs which actively encourage serious crypto and memory bugs.” @pwnallthethings
“You do background checks on your employees. Why not for the software you run?” Chris Wysopal
“In the eyes of most people, security’s job is to dream up hypothetical scenarios and then dictate rules based on them.” James Wickett
“New malware variant so good at hiding itself, it thwarts own infection checks. ends up local dosing.” Satoshi Nakamoto
“Dear npm developers: you’re literally a code distribution platform. You do RCE as a service. This is meaningless: https://www.kb.cert.org/vuls/id/319816” Tony Arcieri
“In the 44 days since we introduced [the red lock icon in gmail], the amount of inbound mail sent over an encrypted connection increased by 25%.” Google Security Blog
Top stories
NPM left-pad debacle
A JavaScript developer unpublished more than 250 of his modules from NPM over legal concerns. One of them, named “left-pad”, was widely used (millions of downloads per month), and its removal broke many projects. This had no immediate infosec-related consequences, but it did show how a single developer can affect a huge number of larger projects, and possibly the sites that rely on those projects. Some of these modules are just one line of code, but because they are pulled in this way, anyone able to publish a malicious version of one of them could get code execution in many places.
Techniques for combating ransomware
As noted by FireEye and others, there has been a huge increase in ransomware recently, specifically Locky. To combat it, a few researchers have proposed solutions. In the post Proactively Reacting to Ransomware, the researcher proposes creating file canaries that can be monitored to see whether something tries to encrypt them. A similar technique, with PoC driver code, was proposed a few weeks ago in the project ofercas/ransomware_begone.
Another post, titled Abusing bugs in the Locky ransomware to create a vaccine, showed direct attacks against Locky. For example, Locky will not attack Russian systems, so “It is therefore possible to set the system language to Russian to prevent from being infected but the system is likely to be hardly usable for many people :)”. Other solutions include setting an ACL on the Locky registry key and some more technical tricks. I personally am hesitant to consider these real solutions to combating ransomware, but it’s good to see people considering new options.
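To make the file-canary idea concrete, here is a small added example (my own illustration, not code from the post or from ransomware_begone): plant a decoy file with a known hash in each watched directory, re-hash on every check, and alert when a canary is modified or disappears, which is what an encryptor sweeping a directory will do to it. File names and contents are made up.

```python
import hashlib
import os
import tempfile

# Decoy name chosen to look like a user document; assumed, not from the post.
CANARY_NAME = "budget_2016_final.docx"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plant_canaries(dirs):
    """Write one canary per directory; return {path: expected_sha256} to check later."""
    expected = {}
    for d in dirs:
        path = os.path.join(d, CANARY_NAME)
        body = b"CANARY FILE - DO NOT MODIFY\n" + os.urandom(64)  # random so hash is unguessable
        with open(path, "wb") as f:
            f.write(body)
        expected[path] = sha256(body)
    return expected


def check_canaries(expected):
    """Return [(path, status)] for canaries that are missing or whose content changed."""
    alerts = []
    for path, digest in expected.items():
        try:
            with open(path, "rb") as f:
                current = sha256(f.read())
        except FileNotFoundError:
            alerts.append((path, "missing"))  # deleted or renamed (e.g. new extension)
            continue
        if current != digest:
            alerts.append((path, "modified"))  # overwritten, e.g. encrypted in place
    return alerts


def demo():
    """Run the scenario in a temp dir: clean check, simulated encryption, simulated removal."""
    with tempfile.TemporaryDirectory() as d:
        expected = plant_canaries([d])
        results = [check_canaries(expected)]
        path = os.path.join(d, CANARY_NAME)
        with open(path, "wb") as f:          # constructed: stand-in for an in-place encryptor
            f.write(b"\x8a\x1f" + os.urandom(64))
        results.append(check_canaries(expected))
        os.remove(path)                      # constructed: stand-in for delete-after-encrypt
        results.append(check_canaries(expected))
    return [[status for _, status in r] for r in results]


if __name__ == "__main__":
    print(demo())  # [[], ['modified'], ['missing']]
```

In a real deployment the check would run on a timer or from a file-system notification and trigger an alert or a process kill rather than just return a list.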
Newspaper news
- U.S. indicts Iranians for hacking dozens of banks, New York dam: Like we saw in May 2014, when the US indicted 5 Chinese military hackers, the US has now indicted 7 Iranian hackers. From the Reuters article: “U.S. officials largely completed the investigation more than a year ago, according to two sources familiar with the matter, but held off releasing the indictment so as to not jeopardize the landmark 2015 nuclear deal with Iran or a January prisoner swap.” However, as was the case with the Chinese indictment, in which nothing actually happened beyond the indictment, I do not expect anything will happen with these hackers either.
- FBI getting help to unlock terrorist’s iPhone without Apple: Apple and the FBI have been caught up in a legal battle over unlocking the iPhone of the San Bernardino shooter. The FBI has supposedly started working with a company called ‘Cellebrite’ to help unlock the phone without needing Apple to code-sign special firmware.
Conference materials and publications
- Real Crypto Has Broken Curves: Duo Tech talk by @tqbf (Thomas H. Ptacek).
Other reads
- Apple Updates: Apple put out new versions of iOS and OS X this week, finally fixing the SSH “No Roaming” vuln (CVE-2016-0777), which has been known since January.
- Using OS X FSEvents to Discover Deleted Malicious Artifacts: Post from CrowdStrike on using the OS X capability called FSEvents, which records file system activity, to recover evidence of files that have since been deleted.
- On the Impending Crypto Monoculture: Peter Gutmann discusses how all crypto mechanisms are moving toward schemes devised by Dan Bernstein (DJB), with the conclusion being that it’s not so much that everything is moving toward his schemes, but rather that we’re moving away from all the alternatives.
- Ukraine emerges as bogus BGP source: This article points out a couple of interesting BGP rerouting attacks, including one performed by a spammer, another against APRICOT (a technical conference that focuses on topics like routing security), and more. Although BGP routing attacks have been known about for a long time (and unfortunately little can be done to stop them), they were previously viewed as likely being only within the reach of nation states; these incidents clearly show they can be accomplished with far fewer resources.